Authorities and researchers are sounding the alarm over the active mass exploitation of a high-severity vulnerability in Microsoft SharePoint Server that’s allowing attackers to make off with sensitive company data, including authentication tokens used to access systems inside networks. Researchers said anyone running an on-premises instance of SharePoint should assume their networks are breached.
The vulnerability, tracked as CVE-2025-53770, carries a severity rating of 9.8 out of a possible 10. It gives unauthenticated remote access to SharePoint Servers exposed to the Internet. Starting Friday, researchers began warning of active exploitation of the vulnerability, which affects SharePoint Servers that infrastructure customers run in-house. Microsoft’s cloud-hosted SharePoint Online and Microsoft 365 are not affected.
Not your typical webshell
Microsoft confirmed the attacks on the then-zeroday exploit on Saturday. A day later, the company updated the post to make available an emergency update patching the vulnerability, and a related one tracked as CVE-2025-53771, in SharePoint Subscription Edition and SharePoint 2019.Customers using either version should apply the updates immediately. SharePoint 2016 remained unpatched at the time this Ars post went live. Microsoft said that organizations using this version should install the Antimalware Scam Interface.
The exploitation chain observed is closely related to chains demonstrated in May at the Pwn2Own hacking competition in Berlin for two separate vulnerabilities. The exploited vulnerabilities, tracked as CVE-2025-49704 and CVE-2025-49706, were partially patched two weeks ago in Microsoft's monthly update release. This weekend’s patches for CVE-2025-53770 and CVE-2025-53771 include “more robust protections” for CVE-2025-49704 and CVE-2025-49706 respectively, Microsoft said.